diff --git a/infrastructure/docker-compose.gpu-box.yml b/infrastructure/docker-compose.gpu-box.yml
index bbfc5a665..3f3cfb609 100644
--- a/infrastructure/docker-compose.gpu-box.yml
+++ b/infrastructure/docker-compose.gpu-box.yml
@@ -485,9 +485,38 @@ services:
 retries: 3
 start_period: 30s
+ # ============================================
+ # Phase 2f-1 — Verdaccio npm-Registry (2026-05-07)
+ # @mana/* private packages. Migrated from Mini (was in mana-platform
+ # repo's infrastructure/docker-compose.macmini.yml). Read-heavy bei
+ # CI-Builds, latency-unkritisch — perfekt für GPU-Box-Hosting. Config
+ # lebt jetzt in mana-monorepo's infrastructure/verdaccio/config.yaml,
+ # sparse-clone trägt das Verzeichnis auf der GPU-Box ein.
+ # ============================================
+ verdaccio:
+ image: verdaccio/verdaccio:6
+ container_name: mana-verdaccio
+ restart: unless-stopped
+ ports:
+ - '4873:4873'
+ environment:
+ VERDACCIO_PORT: 4873
+ volumes:
+ - /srv/mana/source/infrastructure/verdaccio/config.yaml:/verdaccio/conf/config.yaml:ro
+ - verdaccio-storage:/verdaccio/storage
+ - verdaccio-plugins:/verdaccio/plugins
+ healthcheck:
+ test: ['CMD', 'wget', '--quiet', '--tries=1', '--spider', 'http://localhost:4873/-/ping']
+ interval: 60s
+ timeout: 5s
+ retries: 3
+ start_period: 30s
+
 volumes:
 glitchtip-pg-data:
 status-output:
+ verdaccio-storage:
+ verdaccio-plugins:
 mana-grafana-data:
 victoriametrics-data:
 loki-data:
diff --git a/infrastructure/verdaccio/config.yaml b/infrastructure/verdaccio/config.yaml
new file mode 100644
index 000000000..c1bae9cc6
--- /dev/null
+++ b/infrastructure/verdaccio/config.yaml
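Review bot: The port mapping `- '4873:4873'` publishes the registry on every host interface, and the config mounted alongside it has no `https` section (it listens on `0.0.0.0:4873` in plain HTTP), so htpasswd logins and the npm auth tokens CI stores in `.npmrc` cross the network unencrypted unless something in front of the container terminates TLS. If a reverse proxy on the box handles TLS, bind to loopback with `- '127.0.0.1:4873:4873'`; if CI reaches the container directly, restrict the binding to the interface it actually uses and document that choice next to `ports:`. `image: verdaccio/verdaccio:6` floats across every 6.x release, which is worth tightening for a service that is itself a supply-chain trust anchor; pinning a full version or an image digest keeps deploys reproducible. The `services:` mapping this hunk extends starts well before the hunk, so I cannot see whether a shared network or proxy already constrains access.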
@@ -0,0 +1,87 @@
+# Verdaccio config — mana e.V. private npm registry.
+# Docs: https://verdaccio.org/docs/configuration
+#
+# Storage layout (writable inside the container):
+# /verdaccio/storage — Tar.gz pro Paket-Version + Index-JSONs
+# /verdaccio/htpasswd — bcrypt-gehashte User-Credentials
+
+storage: /verdaccio/storage
+plugins: /verdaccio/plugins
+
+# Network address Verdaccio listens on. Inside the container always 0.0.0.0;
+# the host binding (4873) is configured in docker-compose.
+listen: 0.0.0.0:4873
+
+# --- Web UI -----------------------------------------------------------
+web:
+ title: mana e.V. — npm registry
+ gravatar: false
+ scope: '@mana'
+
+# --- Authentication ---------------------------------------------------
+# htpasswd file lives in the storage volume so it survives container
+# restarts. Add users with:
+# docker exec mana-verdaccio htpasswd -B /verdaccio/htpasswd
+#
+# `max_users: -1` disables web-based self-registration. Users come in
+# only via htpasswd (admin-controlled).
+auth:
+ htpasswd:
+ # Lives inside the storage volume so it survives restarts and gets
+ # backed up with the rest of the registry state.
+ file: /verdaccio/storage/htpasswd
+ # No new self-registration. Add users by inserting a row into
+ # htpasswd manually (`docker exec mana-verdaccio htpasswd -B …`)
+ # or by flipping this to a positive value briefly.
+ max_users: -1
+
+# --- Public-package proxying -----------------------------------------
+# Verdaccio fetches `hono`, `react`, etc. from npmjs.org on first request
+# and caches them in the storage volume. Speeds up subsequent installs
+# and gives us continuity if npmjs.org is down.
+uplinks:
+ npmjs:
+ url: https://registry.npmjs.org/
+ cache: true
+ timeout: 30s
+
+# --- Access control ---------------------------------------------------
+# Pattern matching is first-match. Order matters: @mana/* before **
+#
+# `$authenticated` = user logged in via htpasswd
+# `$all` = anyone (public anonymous reads)
+#
+# Our policy:
+# @mana/* — only authenticated users can read or publish
+# ** — authenticated users can install (proxied from npmjs)
+# and the registry never serves these to anonymous reads
+# either (we don't run an open mirror for the public)
+packages:
+ '@mana/*':
+ access: $authenticated
+ publish: $authenticated
+ unpublish: $authenticated
+ proxy: # not proxied — we own the namespace
+
+ '**':
+ access: $authenticated
+ publish: $authenticated
+ proxy: npmjs
+
+# --- Logging ----------------------------------------------------------
+# Console-only — Docker captures it. For long-term audit (DSGVO Art. 30
+# claim of code-provenance) we'd add file logging in production.
+log: { type: stdout, format: pretty, level: http }
+
+# --- Security -----------------------------------------------------------
+security:
+ api:
+ legacy: true
+ web:
+ sign:
+ expiresIn: 7d
+ verify:
+ someProp: someValue
+
+# --- Limits -----------------------------------------------------------
+max_body_size: 50mb
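Review bot: `verify: someProp: someValue` under `security.web` at the end of the file is the placeholder pair from Verdaccio's own configuration example, not a real option; drop the `verify:` entry (or write `verify: {}`) so nobody later hunts for what `someProp` controls. `security.api.legacy: true` also deserves a sentence: as far as I recall, the legacy API token format wraps the user's credentials with the server secret instead of issuing a signed, expiring JWT, so a token copied into a CI `.npmrc` is worth as much as the htpasswd password itself — if that matches Verdaccio 6 behaviour, `api: { jwt: { sign: { expiresIn: 30d } } }` in place of `legacy: true` bounds the damage of a leaked token. Whichever is kept, add `# legacy: keeps the pre-JWT API token format; revisit once CI tokens are rotated` above it so the choice is deliberate rather than inherited. Finally, `log: level: http` records every request including authenticated package fetches to stdout, which is fine for Docker but should be mentioned in the DSGVO comment above it as personal data retained by the log driver.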